Security News

Sigh. Another day, another reason for WordPress users to get patching: Hackers abuse bug in popular plugin
2020-09-03 23:20

A critical vulnerability in a popular WordPress plugin called WP File Manager was spotted on Tuesday and was quickly patched by the plugin's developers. The flaw, which allows arbitrary file uploads and remote code execution on WordPress websites, is already being actively exploited.

WordPress 'File Manager' Plugin Patches Critical Zero-Day Exploited in Attacks
2020-09-03 13:25

The highly popular WordPress plugin File Manager this week received a patch to address an actively exploited zero-day vulnerability. Designed to provide WordPress site admins with copy/paste, edit, delete, download/upload, and archive functionality for both files and folders, File Manager has over 700,000 active installs.

WordPress Sites Targeted via Vulnerabilities in WooCommerce Discounts Plugin
2020-08-25 03:25

The owners and administrators of e-commerce websites powered by WordPress and the WooCommerce platform have been warned of attacks exploiting vulnerabilities discovered recently by researchers in a discounts plugin. The flaws were identified on August 7 by researchers at web security company WebARX in Discount Rules for WooCommerce, a plugin that has been installed on over 30,000 websites and which allows users to create various types of discounts for their products.

Critical Flaws in WordPress Quiz Plugin Allow Site Takeover
2020-08-14 18:26

The two critical flaws discovered by researchers include an arbitrary file-upload vulnerability, ranking 10 out of 10 on the CVSS scale; as well as an unauthenticated arbitrary file deletion error, ranking 9.9 out of 10. "Any of the 30,000 sites running the plugin are subject to any file being deleted, which includes the wp-config.php file, by unauthenticated site users."

Newsletter WordPress Plugin Opens Door to Site Takeover
2020-08-04 18:11

Newsletter, a WordPress plugin with more than 300,000 installations, has a pair of vulnerabilities that could lead to code-execution and even site takeover. The Newsletter plugin offers site admins a visual editor that can be used to create newsletters and email campaigns from within WordPress.

Critical Security Flaw in WordPress Plugin Allows RCE
2020-07-29 16:32

Researchers are warning of a critical vulnerability in a WordPress plugin called Comments - wpDiscuz, which is installed on more than 70,000 websites. The flaw gives unauthenticated attackers the ability to upload arbitrary files and ultimately execute remote code on vulnerable website servers.

Ew, that's unsanitary: SEO plugin for WordPress would run arbitrary JavaScript inputs instead of scrubbing them
2020-07-17 16:46

A popular WordPress search engine optimisation plugin with around two million installs could have been abused to hijack a target website, according to a threat intel firm. "This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel's 'all posts' page," said WordPress-focused infosec biz Wordfence in a blog post about the vuln in the All in One SEO Pack plugin.

Advertising Plugin for WordPress Threatens Full Site Takeovers
2020-07-08 20:12

The Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers. In May, for instance, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that's used to build websites via a drag-and-drop function, was found to harbor two flaws that could allow full site takeover.

Botnet blasts WordPress sites with configuration download attacks
2020-06-05 14:35

Security researchers at Wordfence, a company that's focused on securing WordPress, have reported a burst of old-school attacks that are after your WordPress configuration data. The wp-config.php file is located in the root of your WordPress file directory and contains your website's base configuration details, such as database connection information.

Attackers tried to grab WordPress configuration files from over a million sites
2020-06-05 05:30

A threat actor that attempted to insert a backdoor into nearly a million WordPress-based sites in early May tried to grab the WordPress configuration files of 1.3 million sites at the end of the same month. "The previously reported XSS campaigns sent attacks from over 20,000 different IP addresses. The new campaign is using the same IP addresses, which accounted for the majority of the attacks and sites targeted. This campaign is also attacking nearly a million new sites that weren't included in the previous XSS campaigns," Wordfence threat analyst Ram Gall shared.
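The two items above describe a campaign that tries to pull wp-config.php off the server. What follows is an added example, not code from Wordfence or either article, of triaging a web server access log for such attempts. It assumes the requests look either like a direct GET for wp-config.php or like a path-traversal value in a plugin's file-download parameter (possibly URL-encoded more than once); the log lines are constructed in combined log format, and the IP addresses are documentation ranges.

```python
"""Flag access-log requests that look like attempts to read wp-config.php.

Added example; not code from Wordfence or the articles above. The request
patterns (a direct request for wp-config.php, or a traversal value such as
../../wp-config.php in a file-download parameter) are assumptions about how
such campaigns look. The log lines are constructed, not real traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache/nginx combined log format (assumed, not real).
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2020:10:01:12 +0000] "GET /wp-content/plugins/example/download.php?file=../../../wp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2020:10:01:13 +0000] "GET /wp-content/plugins/example/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:02:40 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.9 - - [30/May/2020:10:03:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [30/May/2020:10:03:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp,
# method, request target, status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_config_grab(target: str) -> bool:
    """True if the request target names wp-config.php anywhere in the URL.

    The target is URL-decoded repeatedly (up to three rounds) so that %2F
    and double-encoded traversal sequences such as %252F are still caught.
    No legitimate request ever references wp-config.php in the URL.
    """
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return "wp-config.php" in decoded.lower()


def scan(log_text: str):
    """Return a list of (ip, status, target) for requests that match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        if is_config_grab(m["target"]):
            hits.append((m["ip"], int(m["status"]), m["target"]))
    return hits


def successful_reads(hits):
    """Hits the server answered with 200: triage these first, because the
    file contents (database credentials included) may have left the server."""
    return [h for h in hits if h[1] == 200]


def top_sources(hits, n=5):
    """Most active source IPs among the hits, for blocking or enrichment."""
    return Counter(h[0] for h in hits).most_common(n)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, status, target in found:
        print(f"{ip} {status} {target}")
    print("top sources:", top_sources(found))
    print("likely successful reads:", len(successful_reads(found)))
```

A 200 on one of these requests does not prove the plugin actually served the file (it may have returned an error page with that status), but those are the requests to confirm against the plugin's code and the response size; if the read did succeed, the database credentials and salts in wp-config.php should be treated as compromised and rotated.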